docs
/
Go to coder.comRequest SupportRoadmap
docs
/
Home
About
Comparison
Feedback
Getting started
Workspaces
Getting started
Lifecycle
Editors and IDEs
Autostart
Dev URLs
Docker in workspaces
Workspace parameters
Environment variables
Personalization
User preferences
Progressive web apps
SSH access
Workspace templates
Workspace templates
Workspace template code completion
Images
Import
Structure
Tags
Custom image creation
Configure
SSL certificates
Deprecate
Embeddable button
Command line
Installation and setup
Remote terminal
File sync
Workspace management
Setup
Architecture
Requirements
Kubernetes
Local preview
K3s
Amazon Elastic Kubernetes Service
Azure Kubernetes Service
Google Kubernetes Engine
Red Hat OpenShift
Installation
Configuration
Licensing
Updating
Air-gapped deployment
Network setup
Admin
Access control
User roles
Organization roles
Password reset
User management
Workspace management
Docker in workspaces
Extensions
GPU acceleration
JetBrains IDE installation
Memory provisioning
CPU provisioning
Shutdown
SSH configuration
Registries
Default registry
Google Container Registry
Workspace providers
Workspace provider deployment
Access URL
Account dormancy
Appearance
Audit
Browser security
Dev URLs
Git integration
Organizations
Usage metrics
Telemetry
Templates
Guides
Admin
Compute resources
Helm charts
Image tag names
Logging
OpenID Connect with Azure AD
OpenID Connect with Okta
Usage monitoring
Customization
Custom workspaces
Git configuration
macOS keybindings
Node.js Projects
Virtual Network Computing
Deployment
Coder installation from an archive
Managed code-server Workspaces
PostgreSQL
SAML 2.0 identity brokering
Teardown
SSL certificates
Azure DNS
Cloud DNS
Cloudflare
Route 53
Mobile development
Public API
Troubleshooting
Docker troubleshooting
Image registry troubleshooting
inotify watcher limit problems
TypeError: Failed to fetch
Changelog
1.20.0
1.19.1
1.19.0
1.18.1
1.18.0
1.17.4
1.17.3
1.17.2
1.17.1
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.2
1.15.1
1.15.0
1.14.4
1.14.3
1.14.2
1.14.1
1.14.0
1.13.2
Home
/
Setup
/
Kubernetes

Red Hat OpenShift

4 min read

Learn about deploying Coder in OpenShift Container Platform

This deployment guide shows you how to customize your OpenShift Container Platform cluster in order to deploy Coder. The OpenShift Container Platform includes default security features, notably the restricted Security Context Constraint (SCC), which can interfere with applications, including Coder.

This guide describes customizations to the OpenShift cluster as well as Coder that ensure an optimal user experience.

Prerequisites

  • An OpenShift cluster with a Project (Kubernetes namespace) for Coder
  • OpenShift command-line tools (oc and kubectl)

Modify pod and container security contexts

OpenShift's SCC feature enforces particular settings that applications must run with. The default restricted SCC requires that applications run as a user within a project-specific range (MustRunAsRange) and must not define a seccomp profile.

You can view the restrictions using oc describe scc restricted:

$ oc describe scc restricted
Name:                                           restricted
Priority:                                       <none>
Access:
  Users:                                        <none>
  Groups:                                       system:authenticated
Settings:
  Allow Privileged:                             false
  Allow Privilege Escalation:                   true
  Default Add Capabilities:                     <none>
  Required Drop Capabilities:                   KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:                         <none>
  Allowed Seccomp Profiles:                     <none>
  Allowed Volume Types:                         configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:                          <all>
  Allowed Unsafe Sysctls:                       <none>
  Forbidden Sysctls:                            <none>
  Allow Host Network:                           false
  Allow Host Ports:                             false
  Allow Host PID:                               false
  Allow Host IPC:                               false
  Read Only Root Filesystem:                    false
  Run As User Strategy: MustRunAsRange
    UID:                                        <none>
    UID Range Min:                              <none>
    UID Range Max:                              <none>
  SELinux Context Strategy: MustRunAs
    User:                                       <none>
    Role:                                       <none>
    Type:                                       <none>
    Level:                                      <none>
  FSGroup Strategy: MustRunAs
    Ranges:                                     <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:                                     <none>

You can override the default settings by defining the following in your Helm Values file:

coderd:
  podSecurityContext:
    runAsUser: null
    seccompProfile: null
  securityContext:
    seccompProfile: null

Option 1: Add the environments service account to anyuid or nonroot

Coder's default base images for workspaces, such as enterprise-base, run as the coder user (UID 1000). By default, the OpenShift platform does not allow running with this user, as service accounts use the restricted SCC by default, and must run with a project-specific UID.

Coder creates workspaces in pods with the service account environments, and we recommend adding this service account to the anyuid or nonroot Security Context Constraint using:

$ oc adm policy add-scc-to-user nonroot -z environments
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:nonroot added: "environments"
$ oc adm policy who-can use scc nonroot
resourceaccessreviewresponse.authorization.openshift.io/<unknown> 

Namespace: coder
Verb:      use
Resource:  securitycontextconstraints.security.openshift.io

Users:  system:admin
        system:serviceaccount:coder:environment

Option 2: Build images compatible with OpenShift

In order to run Coder workspaces without modifying Security Context Constraints, you can modify the user and permissions from the base images. First, determine the UID range for the project using:

$ oc describe project coderName:                   coder
Created:                10 days ago
Labels:                 <none>
Annotations:            openshift.io/description=
                        openshift.io/display-name=
                        openshift.io/requester=kube:admin
                        openshift.io/sa.scc.mcs=s0:c26,c10
                        openshift.io/sa.scc.supplemental-groups=1000670000/10000
                        openshift.io/sa.scc.uid-range=1000670000/10000
Display Name:           <none>
Description:            <none>
Status:                 Active
Node Selector:          <none>
Quota:                  <none>
Resource limits:        <none>

Create a BuildConfig that outputs an image with a UID in the given range (in this case, sa.scc.uid-range begins with 1000670000):

kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  name: example
  namespace: coder
spec:
  triggers:
    - type: ConfigChange
  runPolicy: Serial
  source:
    type: Dockerfile
    dockerfile: |
      FROM docker.io/codercom/enterprise-base:ubuntu

      # Switch to root
      USER root 

      # As root, change the coder user id
      RUN usermod --uid=1000670000 coder

      # Go back to the user 'coder'
      USER coder
  strategy:
    type: Docker
    dockerStrategy:
      imageOptimizationPolicy: SkipLayers
  output:
    to:
      kind: ImageStreamTag
      name: 'enterprise-base:latest'

When creating workspaces, configure Coder to connect to the internal OpenShift registry and use this base image.

See an opportunity to improve our docs? Make an edit.

Go to coder.comGitHub